403 Forbidden when editing application details after enabling Dex

[bzurkowski]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

My team is using Argo CD with Dex to delegate user authentication to Google as the IDP.

Before enabling Dex, everything was working fine. However, after enabling Dex, we encountered a 403 Forbidden error when attempting to edit application details, such as labels or sync policies, through the Argo CD dashboard. These actions are also disallowed even when I log in as an admin user.

Despite this issue, I am still able to perform other actions, such as deleting Pods, via the dashboard. Additionally, editing application details works without any issues when using kubectl.

The applied RBAC policy is as follows:

cm:
  users.anonymous.enabled: "false"
rbac:
  policy.default: "role:authenticated"
  policy.csv: |
    p, role:authenticated, *, *, *, deny
    g, [email protected], role:readonly
    g, [email protected], role:admin

Got similar results with the following policy:

cm:
  users.anonymous.enabled: "false"
rbac:
  policy.default: "role:readonly"
  policy.csv: |
    g, [email protected], role:readonly
    g, [email protected], role:admin

To Reproduce

1. Ensure Dex is enabled with the IDP connector.
2. Attempt to edit application details (e.g., labels or sync policies) through the Argo CD dashboard.

Expected behavior

Editing application details through the Argo CD dashboard should work without encountering a 403 Forbidden error.

Screenshots

Version

v2.12.4

Logs

No relevant information found in logs.

[bzurkowski]

I just noticed that this issue does not occur in other environment where Dex is enabled. I will investigate further, as there might be another underlying issue that could provide valuable insights for others in the future.